At some point, toolsbeta stopped successfully producing Kubernetes accounts. The problem is that it generates a CSR and after approval, it doesn't actually append a certificate to the CSR for use (the normal workflow for the certificates API).
After investigating for some time, I cannot quite find a conclusive error or issue. maintain-kubeusers is in a crashloop with a misleading error:
Certificate creation stalled or failed for <whatever> Path /data/project/<tool>/.toolskube is not writable or failed to store certs somehow Traceback (most recent call last): File "maintain_kubeusers.py", line 7, in <module> runpy.run_module("maintain_kubeusers", run_name="__main__") File "/usr/lib/python3.7/runpy.py", line 208, in run_module return _run_code(code, {}, init_globals, run_name, mod_spec) File "/usr/lib/python3.7/runpy.py", line 85, in _run_code exec(code, run_globals) File "/app/maintain_kubeusers/__main__.py", line 7, in <module> main() File "/app/maintain_kubeusers/cli.py", line 174, in main tools, cur_users["tools"], k8s_api, args.gentle_mode File "/app/maintain_kubeusers/utils.py", line 55, in process_new_users api_server, ca_data, gentle File "/app/maintain_kubeusers/user.py", line 261, in write_kubeconfig self.write_certs() File "/app/maintain_kubeusers/user.py", line 271, in write_certs cert_file.write(self.cert) TypeError: a bytes-like object is required, not 'NoneType'
Basically, it tries to get the bytes object from the certificate field of the status of the approved CSR and gets "None" because the field itself isn't even there. It is behaving as though there is no cluster signer enabled, but the appropriate cli args are clearly on the kube-controller-managers.
I've been investigating the new signerName whatnot, which totally breaks some workflows, btw, but that doesn't seem directly related since you can still use the unknown-legacy signer in v1beta1. This doesn't seem to be affecting tools.